As we continue to extend our research on the six types of CISOs, we’ve witnessed a common issue that plagues security leaders that I’ve termed “the Da Vinci fallacy,” defined as:
The Da Vinci fallacy asserts that CISOs must be polymaths/experts possessing mastery of skills across domains of security, technology, strategy, marketing, finance, economics, people, communication, behavior, and more to be truly effective.
The Da Vinci fallacy ignores whether it is reasonable for any leader — much less CISOs — to obtain mastery in each of those domains in a single lifetime. This is a cybersecurity leader-specific version of the “Nirvana fallacy,” also known as the “perfect solution fallacy.” We created the Da Vinci Fallacy due to a common rebuttal to our research on the six types of CISOs:
“Good/great CISOs need to have each type in them; they can’t just be one if they want to be effective.”
We don’t disagree that obtaining mastery in each of these areas would make one a phenomenal CISO. In fact, it would make one a generational CISO. But generational talents feature a specific characteristic: rarity. Whether discussing innovation and Da Vinci, mathematics and Newton, basketball and Michael Jordan, baseball and Mike Trout, writing and Hunter S. Thompson . . . the mere fact that we can name them means that they stood that far above their contemporaries. Each of them share another characteristic: the fusion of natural talent, work ethic, opportunity, and timing. And, of course, circumstances dictate the most valuable skills, such as adopting transformational CISO characteristics during COVID-19.
The Insidious Nature Of The Da Vinci Fallacy
Becoming a once-in-a-generation CISO works as a noble goal. It’s a summum bonum that should be aspired to. However, it’s also unrealistic, because believing that you must cultivate mastery of each domain leads to unrealistic expectations. Those unrealistic expectations result in insecurity (in the individual), destabilizes work/life balance, harms mental health, and inevitably leads to burnout. That perpetuates the Da Vinci fallacy gatekeeper access to the role, cementing it in an unobtainable, exclusive realm where existing mastery is prioritized over skills development.
The Da Vinci Fallacy Treats Symptoms, Not The Underlying Illness
The Da Vinci fallacy includes another glaring issue — it’s a symptom of an underlying ailment: CISOs often fail to strategize security based on the use cases of their non-security stakeholders. When rebuttals to the six types arise, the subtext is actually saying something like this example: CISOs need to become experts on marketing because we need to understand marketing to secure it. And that sentiment is so very close to being right — but not quite. CISOs — and their teams — need to understand the context of marketing and marketing use cases to secure them. This does not require CISOs to become marketing experts. It requires CISOs to understand what marketing is doing, associated risks, and how attackers can sabotage it.
As CISOs discuss their disconnect from the business, becoming an expert in each of those business domains is NOT the answer. An example of this is included in our report, “The Top Five Emerging Technologies Security Leaders Need To Prepare For,” which debuts our use-case-focused approach to cybersecurity for CISOs.
CISO Success Does Not Mean Becoming Da Vinci
Relationships matter, both inside and outside the company. Isolated experts have a place, mainly in fantasy novels where the hero stumbles on them and receives exactly the training they need to defeat the villain. But effective leaders link people together, forging success from a combination of diverse, varied viewpoints.
Part of this is recognizing what energizes you as a leader and what your company needs. For leaders that love driving change, find companies that need a transformational CISO. Leaders that love high-stress, high-stakes efforts should focus on post-breach CISO roles. CISOs who love working with customers should prioritize companies that need customer-facing evangelists. This leads to “CISO-company fit,” which then allows them to identify the other skills they need.
Do not fall for the Da Vinci fallacy. The research that we produce will continue to focus on helping security leaders overcome the Da Vinci fallacy, emphasizing pragmatic approaches to transformation, leadership, and cybersecurity.